Abstract. Déchêne has proposed generalized Jacobians as a source of groups for public-key cryptosystems based on the hardness of the Discrete Logarithm Problem (DLP). Her specific proposal gives rise to a group isomorphic to the semidirect product of an elliptic curve and a multiplicative group of a finite field. We explain why her proposal has no advantages over simply taking the direct product of groups. We then argue that generalized Jacobians offer poorer security and efficiency than standard Jacobians.



1. Introduction 

Recently, Déchêne [4] has proposed generalized Jacobians as a source of groups for public-key cryptosystems based on the hardness of the Discrete Logarithm Problem (DLP). Generalized Jacobians offer a natural generalization of both torus-based and curve-based cryptography.

Déchêne's specific proposal gives rise to a group isomorphic to the semidirect product of an elliptic curve E(k) and a multiplicative group of a finite field G_m(k). She remarks in Section 6 of [4] that the DLP in such a generalized Jacobian can be reduced to sequentially solving a DLP in E(k) followed by a DLP in G_m(k), and so it is "at least as hard as a DLP in E(k) and at least as hard as a DLP in G_m(k)".

Our main observation follows from applying the standard Pohlig-Hellman reduction and therefore reducing to the case of elements of prime order. It then immediately follows (see Proposition 2.1) that one can solve the DLP in the generalized Jacobian by solving a number of DLPs in E(k) and G_m(k) in parallel. One concludes that the generalized Jacobian DLP is at most as hard as the DLP in E(k) and the DLP in G_m(k). As we will explain, one can get the same security with greater efficiency by simply taking the direct product E(k) × G_m(k).

In our presentation we consider the DLP in the simpler and more general setting of extensions 
of algebraic groups. We will argue that extensions offer no advantages over the existing Jacobian 
or torus constructions for DLP-based cryptography. 

Throughout this article, we let k be a finite field. All varieties are nonsingular k-varieties. We say that a morphism of algebraic groups is explicit if it may be evaluated in polynomial time. Algebraic groups are said to be explicitly isomorphic if there is an explicit isomorphism between them. All algebraic groups in this article are commutative, and written additively. We denote algebraic groups with script letters and their underlying varieties with capital letters: so if $\mathcal{A}$ is an algebraic group, then $A$ denotes its underlying variety.

2. Discrete Logarithms in Extensions of Commutative Algebraic Groups 

Fix a pair of algebraic groups A and B. An extension of A by B is an algebraic group C together with separable homomorphisms ι : B → C and π : C → A, all defined over k, such that the following sequence is exact:

(1) $0 \to B \xrightarrow{\iota} C \xrightarrow{\pi} A \to 0$.

We will assume that the maps ι, π, and ι^{-1} (where it is defined) are explicit. A trivial example of an extension of A by B is the direct product C = A × B, with ι and π the obvious maps. The motivating example for this work is the case where C is a generalized Jacobian: here A is the Jacobian of an algebraic curve, B is a certain affine algebraic group,^1 and the group structure of C is determined by a map c_m : A^2 → B. The generalized Jacobians proposed for cryptography by Déchêne are the special case where A is an elliptic curve and B is the multiplicative group.

^1 The algebraic group in question is isomorphic to a product of multiplicative groups (i.e. a torus), together with a product of Witt groups, in which the DLP is trivial.

We wish to assess the suitability of C as a source of groups for cryptography, compared with A and B. Suppose we wish to solve a DLP in a subgroup G of C(k). The group G is necessarily finite, and without loss of generality we may assume that G is cyclic. By the standard reduction of Pohlig and Hellman [7], we may reduce to the case where the order of G is prime.

Proposition 2.1. Let G be a subgroup of C(k), of prime order ℓ. If G is contained in ι(B), then the DLP in G reduces to the DLP in a subgroup of order ℓ in B(k). Otherwise, the DLP in G reduces to the DLP in a subgroup of order ℓ in A(k).

Proof. If G is a subgroup of ι(B), then it is explicitly isomorphic to the subgroup ι^{-1}(G) of B(k). Otherwise, G has trivial intersection with the kernel of π, so it is explicitly isomorphic to the subgroup π(G) of A(k). □

Corollary 2.2. The DLP in C(k) is no harder than the hardest DLP in A(k) and B(k). 

Proposition 2.1 shows that if G is not contained in ι(B), then the DLP in G reduces to the DLP in A(k). It is important to note that the absence of a natural projection from C to B does not preclude the existence of a homomorphism mapping G into B; thus the DLP in G may, in some cases, be reduced to the DLP in B(k) as well. For many subgroups G, therefore, the DLP in G is only as hard as the easier of the DLP in A(k) and the DLP in B(k). This means that we can have a relative loss in security in using extensions of A by B rather than using A and B independently.

Remark 2.3. Couveignes [2] shows that if C is a commutative algebraic group extension of A by B, then there exists an algorithm to solve the DLP in C in subexponential time in the size of C if and only if there exist such algorithms for A and for B [2, Theorem 2]. This is due to the existence of a k-rational isogeny (not constructed in [2]) from C to the direct product A × B.

3. Extensions Presented by Cocycles 

Extensions C of A by B are effectively determined by the choice of a symmetric 2-cocycle (cocycle in the sequel): that is, a map c : A^2 → B satisfying the relations

(2) $c(P,Q) + c(P+Q,R) = c(Q,R) + c(P,Q+R)$ and $c(P,Q) = c(Q,P)$

for all P, Q and R in A. Note that c is not required to be a homomorphism.

Given a cocycle c : A^2 → B, we construct an extension C of A by B as follows. The underlying variety of C is the direct product A × B, the identity element is (0_A, 0_B), and the group law and inverse maps are the morphisms m_c : (A × B)^2 → A × B and i_c : A × B → A × B defined by

$m_c : ((P_A, P_B), (Q_A, Q_B)) \mapsto (P_A + Q_A,\ P_B + Q_B + c(P_A, Q_A))$

and

$i_c : (P_A, P_B) \mapsto (-P_A,\ -P_B - c(P_A, -P_A))$

(here + and − denote group operations in A and B). Note that associativity and commutativity follow from the relations (2) above. We say that C is the algebraic group presented by the cocycle c. Generalized Jacobians (for background, see [8]) are examples of extensions presented by cocycles; we will give an example below. The direct product group A × B is the extension presented by the zero cocycle, sending each element of A^2 to 0_B. Our assumption that ι and π are explicit holds in any extension presented by a cocycle, as shown by the following easy lemma.

Lemma 3.1. Let $0 \to B \xrightarrow{\iota} C \xrightarrow{\pi} A \to 0$ be an extension presented by a cocycle c : A^2 → B.

(1) The injection ι : B → C is given by ι(P) = (0_A, P). The subgroups of C in the image of ι are precisely those of the form {(0_A, P) : P in some subgroup of B}, and in such groups the map ι^{-1} given by ι^{-1}((0_A, P)) = P reduces the DLP to a DLP in B.

(2) The projection π : C → A is given by π(P_A, P_B) = P_A. This map reduces the DLP in any subgroup of C not in the image of ι to a DLP in A.
Lemma 3.1 implies that the difficulty of the DLP in C cannot be increased by a "clever" choice of c. Indeed, each prime-order subgroup G of any extension C either projects faithfully into A or can be pulled back to B. In particular, the DLP in any extension of A by B is no harder than the DLP in the direct product A × B.

Suppose C is an extension presented by a cocycle c : A^2 → B. Computing the group law in C requires the same computations as computing the group law in A × B, together with an application of the cocycle c and an extra group operation in B — so computing the group law in C requires at least as much space and time as computing the group law in A × B. Further, C and A × B have the same underlying variety, so representing their elements requires the same space. Thus computing in C requires at least as much time and space as computing in A × B.

For the purposes of DLP-based cryptography, the group A × B offers no advantages over A and B. We have seen that the DLP in A × B can be no harder than the hardest DLP in A or B, and computing in A × B requires at least as much space and time as computing in A and B separately. Therefore, using A × B in a DLP-based cryptosystem in place of A or B offers no advantage in security, while requiring more storage space and computing time. Similarly, using an extension C presented by a cocycle c : A^2 → B instead of A or B alone offers no increase in security, since it has no larger prime-order subgroups than those already present in A and B, while requiring at least as much time and space as computing in A and B. We have thus derived the following result.

Proposition 3.2. If C is an extension of A by B presented by a cocycle, then any DLP-based cryptosystem based on a subgroup of C(k)

• is no more secure, 

• takes more space, and 

• is less computationally efficient 

than the analogous cryptosystem based on A(k) or B(k) (whichever has the harder DLP). 

Example 3.3. In [3] and [4], Déchêne proposes certain generalized Jacobians of elliptic curves as a supply of cryptographic groups. Suppose E is an elliptic curve over k, and let O be the identity of E. Let G_m denote the multiplicative group over k (we will write its group law multiplicatively). Fix points M and N (neither equal to O) on E: the effective divisor m = (M) + (N) is called the modulus. The generalized Jacobian J_{E,m} is defined to be the extension of E by G_m presented by the cocycle c_m(P,Q) = f_{P,Q}(M)/f_{P,Q}(N), where f_{P,Q} is any function on E with divisor (P+Q) + (O) − (P) − (Q).^2 The group law on J_{E,m} is given by

$(P, \lambda) + (Q, \mu) = (P + Q,\ \lambda \cdot \mu \cdot c_m(P, Q))$.

We remark that this group law was also used in Section 3 of [5].

The observations of Proposition 3.2 all apply to J_{E,m}. We know that the DLP in J_{E,m}(k) is no harder than the hardest DLP in E(k) and G_m(k). Thus using cyclic subgroups of J_{E,m}(k) instead of subgroups of E(k) or G_m(k) requires extra work, and extra space, for no gain in security. Indeed, it is widely recognised that elliptic curves give better security and performance than multiplicative groups of finite fields. Hence, it would be better either to remove the G_m(k) and use only E(k) (saving space and time), or to spend the extra bits on a larger ground field K and use a prime-order elliptic curve E(K) instead (maximizing security).
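As an added illustration (Python written for this edition, not code from the paper), the following implements the group law of Example 3.3 on a constructed toy curve y^2 = x^3 − x over F_43, with f_{P,Q} = v/l as in footnote 2, and then performs the projection reduction of Lemma 3.1(2): a DLP in J_{E,m}(F_43) is solved by solving the projected DLP in E(F_43). The curve, the prime, the subgroup order 11 and the choice of M and N outside that subgroup (so that c_m is defined on every pair from it) are all assumptions made for the example.

```python
# Added example, not from the paper: the generalized Jacobian group law of
# Example 3.3 on a constructed toy curve, plus the DLP reduction of Lemma 3.1(2).
# f_{P,Q} = v/l as in footnote 2 and c_m(P,Q) = f_{P,Q}(M) / f_{P,Q}(N).
p, a, b = 43, -1, 0    # E: y^2 = x^3 - x over F_43, #E(F_43) = 44 (constructed)
ELL = 11               # prime order of the subgroup we work in; O is None

def slope(P, Q):
    if P == Q:
        return (3 * P[0] * P[0] + a) * pow(2 * P[1], -1, p) % p
    return (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p

def ec_add(P, Q):  # affine group law on E(F_p)
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    s = slope(P, Q)
    x = (s * s - P[0] - Q[0]) % p
    return (x, (s * (P[0] - x) - P[1]) % p)

def mul(n, X, add, zero):  # double-and-add for any group law
    R = zero
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == '1': R = add(R, X)
    return R

def f_eval(P, Q, X):  # f_{P,Q}(X), div f = (P+Q)+(O)-(P)-(Q); X off that support
    if P is None or Q is None: return 1
    S = ec_add(P, Q)
    if S is None:                                   # Q = -P: l vertical, v = 1
        return pow(X[0] - P[0], -1, p)
    l = (X[1] - P[1] - slope(P, Q) * (X[0] - P[0])) % p   # line through P and Q
    return (X[0] - S[0]) * pow(l, -1, p) % p        # v: vertical line through P+Q

# Constructed modulus m = (M) + (N): M, N are F_43-points outside the order-ELL
# subgroup, so the cocycle is defined on all pairs from that subgroup.
PTS = [(x, y) for x in range(p) for y in range(p) if (y*y - x**3 - a*x - b) % p == 0]
G = next(R for R in PTS if mul(ELL, R, ec_add, None) is None)        # order ELL
M, N = [R for R in PTS if mul(ELL, R, ec_add, None) is not None][:2]

def cocycle(P, Q):
    return f_eval(P, Q, M) * pow(f_eval(P, Q, N), -1, p) % p

def gj_add(X, Y):  # (P,lam) + (Q,mu) = (P+Q, lam*mu*c_m(P,Q)) in J_{E,m}(F_p)
    (P, lam), (Q, mu) = X, Y
    return (ec_add(P, Q), lam * mu * cocycle(P, Q) % p)

def dlp_via_projection(X, Y):  # Lemma 3.1(2): x*X = Y  <=>  x*pi(X) = pi(Y) in E
    return next(x for x in range(ELL) if mul(x, X[0], ec_add, None) == Y[0])
```

Associativity of gj_add follows from the cocycle relation (2), which holds here because f_{P,Q} f_{P+Q,R} and f_{Q,R} f_{P,Q+R} have the same divisor and so differ only by a constant that cancels in f(M)/f(N).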

Remark 3.4. Déchêne suggests taking M and N to be defined over a finite extension K/k, so that the cocycle c_m maps E(k)^2 into G_m(K), and such that both E(k) and G_m(K) contain a subgroup of prime order ℓ. Balasubramanian and Koblitz [1] have shown that for general elliptic curves, the degree of the smallest such extension (called the embedding degree) tends to grow with ℓ, rendering computation in G_m(K) and G exponentially difficult. In practice, therefore, the suggestion requires E to be a so-called pairing-friendly curve, which means there is a homomorphism from E to G_m as used in the Frey-Rück and MOV attacks [5, 6]. As a result, this suggestion weakens E, and therefore (by Corollary 2.2) weakens J_{E,m}. In fact, as noted above, the generalised Jacobian group law is the same as the method proposed by [5] for computing the Tate pairing (except the function is inverted). Hence, if m is the least common multiple of the order of P and the order of M − N in E(K), then computing m times (P, 1) gives (O, ⟨P, M − N⟩^{-1}).

^2 We may take f_{P,Q} = v/l, where l is the line through P and Q, and v is the vertical line through the third point of intersection of l with E.